https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24412 --- Comment #124 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 113236 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=113236&action=edit Bug 24412: (follow-up) prevent js injection Some js variables are not properly escaped and can be executed if containing javascript. 1. have some waiting reserve attached to a desk 2. change this desk name to : <script>alert("❤");</script> 3. go to user's checkout page (circulation.pl) and click on the Hold(s) tab 4. you should see some popup with a ❤ in it. 5. apply patch and refresh page 6. now you should see the desk name printed properly in the page: <script>alert("❤");</script> -- You are receiving this mail because: You are watching all bug changes.